NewsCline CLI Supply Chain Attack Clinejection Prompt Injection npm Token TheftAdnan Khan·high signalPrompt injection in Cline's AI issue triage bot stole npm token. [redacted] installed OpenClaw on 4000 machines. Root cause: AI processing untrusted GitHub issues.SourceSource pageAdnan Khan↳ Follow the threadShared entity / Policy dependencyponytail: A 'Laziest Senior Dev' Skill That Cuts Agent-Written Code by ~54% Is the Fastest-Rising Repo on GitHubGitHubShared entity / Stack layerOpenClaw ships broad July 6 platform update: GPT-5.6 support, external harness attach, hardened provider I/OReleasebotStack layer / Threat patternDefend against prompt injection with an embedding-scored Threat Library, not brittle regex rulesPromptHaloStack layer / Threat patternNSA issues official MCP hardening guidance after Amazon Q auto-execution CVEs (CVSS 8.5) enable AWS credential theftWizPolicy dependency / Threat patternPrismata Confines Cross-Site Prompt Injection by Treating Web Agents Like an XSS ProblemarXivPolicy dependency / Stack layerStrict data-flow tracking is the only defense that zeroes out ADI — spend its utility cost only on code execution and moneyarXiv 2607.05120Stack layer / Threat patternGoogle Pays a Record $250K Bounty for a Linux Guest-VM EscapeArs TechnicaPolicy dependency / Stack layerIAPS warns on Kimi Claw: security and governance risks of Chinese-hosted 'always-on' AI agentsIAPS